
Course Transcript

Microsoft Windows Server 2012 R2 - Configuring Advanced Services: AD Domains
Active Directory Environments
1. AD Infrastructure, domains and forests

2. Windows Server 2012 R2 Domain & Forest Interoperability

3. Windows Server 2012 R2 Trust Relationships

4. Managing Windows Server 2012 R2 Trust Relationships

5. Windows Server 2012 R2 AD Domains and Trusts


AD Infrastructure, domains and forests
Learning Objective
After completing this topic, you should be able to
◾ identify characteristics of Active Directory domains and forests

1. Meet your instructor


[Welcome to Microsoft Windows Server 2012 R2 - Configuring Advanced Services: AD Domains.]

Hello! My name is Jason Gates and I am a Microsoft Certified Trainer, or MCT. In this course,
we are going to ask the question: why have multiple domains, or why have multiple forests? We
will talk about the different things to think about and consider when designing Active Directory
at that level. So when would I need a different domain? When would I need another forest?
Those are questions of autonomy and isolation. And so we will evaluate that and talk about
some of the factors around making those important decisions.

We will also look at: okay, so I have multiple domains; how do I provide access and how do I
secure them? So we will talk about different types of trusts and how to secure those trusts,
including things like security identifier, or SID, filtering and selective authentication.

2. Understanding domains and forests


Active Directory is a special database called a directory service, and it is as important to your
network as the operating system is to your PC; that's because it contains all the user accounts
and security policies, and does all the authentication services for your network. In fact, as a
database, it contains a list of all of your network resources: user objects, computer objects,
things like that.

Now Active Directory is made up of several administrative containers, which include the forest,
the domain, the tree, and organizational units. The forest is really our starting place because it
provides the primary security boundary. The forest also defines, kind of, the scope of replication
and defines the actual nature of the objects that are going to be stored in the directory in the first
place. Now a forest is made up of one or more domains. In fact, the very first domain is called
the forest root, and when you create your forest, you create that first domain at the same time.

[An Active Directory forest contains two domain trees, Domain tree #1 and Domain tree #2.
Domain tree #1 consists of domaina.int as the forest root domain; the domaina.int root
domain has two child domains, books.domaina.int and pen.domaina.int. The
pen.domaina.int child domain includes one more domain in it, the us.books.domaina.int
domain. Domain tree #2 consists of domainb.int, which includes two child domains,
tv.domainb.int and radio.domainb.int. The radio.domainb.int child domain is connected to an
external domain.]
So why have multiple forests? Well, there are a lot of reasons to consider multiple forests.
Remember, the forest is one of the primary definitions of an Active Directory database. It
defines the security boundaries. So one reason to have multiple forests is to divide the
security. A lot of it comes down to who controls the schema. The schema is the template or
defining portion of an Active Directory database that actually identifies the different classes of
objects and their attributes. But it might come down to political, legal, and other types of
business pressures. You can summarize the reasons to consider multiple forests using this
paradigm here: isolation and autonomy. In the case of isolation, you have a situation where,
for business reasons or political reasons or what have you, you really need to create separate
security boundaries.

You need to keep this data or these services separate from those other administrators; maybe
it's a different business, a different organization, a subsidiary, or it has a unique special purpose;
it needs to be isolated, and that would dictate having separate forests. But if you want to support
autonomy, that is, delegation, well, you can do that with a single forest and a single domain, or in
some cases create multiple domains that support separate domain administrators while you still
retain the same forest, so they're all still subject to and part of that same security boundary.
Isolation or autonomy.

[The 'Active Directory forest and domain models' table:

Design requirement              | Definition                                                                                   | Recommended design(s)
Service and data centralization | Service administrators and data administrators have the same level of access in AD.          | One forest – One domain
Service isolation               | Prevents unauthorized administrators from interfering with AD service management.            | Multiple forests
Data isolation                  | Prevents unauthorized administrators from viewing or modifying some AD objects, such as users or computers. | Multiple forests
Service autonomy                | Delegates some or all service management to specific administrators, but without total isolation. | Multiple forests, or One forest – Multiple domains
Data autonomy                   | Delegates AD object administration to specific administrators, but without total isolation.  | One forest – One domain, or One forest – Multiple domains]

So what does it mean to be part of the same Active Directory forest? Well, remember, a forest
is one or more domains, or domain trees. Each participating domain in the forest automatically
trusts the other domains; that's what these double-headed arrows represent, and those trusts
facilitate accessing resources from one domain to the other. Another important aspect of being
part of the same forest is that all of these domains share the same global catalog and they share
the same schema. Now the global catalog is kind of an index, or an abridged version, of all of
the different objects inside of this forest, and it facilitates the quick location of objects. So we
are not searching each and every individual domain; we can search the index to locate where
that resource or object is and what domain it belongs to.

Now the schema is another important part of this forest, and all of these domains share the
same schema because they are part of the same forest. I like to think that the schema is a kind
of empty form, a template of sorts. It is important because it defines, for each domain, what the
different objects are that it needs to know about, like what a user account is. Well, a user
account has a first name and a last name, and a password, and what are the default
permissions, and the like. Well, those instructions come from the schema. If you change the
schema, well, you are affecting every one of those objects inside the forest.

[An Active Directory forest contains two domain trees, Domain tree #1 and Domain tree #2.
Domain tree #1 consists of domaina.int as the forest root domain. The domaina.int root
domain includes two child domains, books.domaina.int and pen.domaina.int. The
pen.domaina.int child domain includes one more domain in it, the us.books.domaina.int
domain. Domain tree #2 consists of domainb.int, which includes two child domains,
tv.domainb.int and radio.domainb.int. The radio.domainb.int child domain is connected to an
external domain. All the domains in this forest share the same global catalog, GC, and the same
schema. Apart from the global catalog and schema, there are two more important parts of a
forest: the configuration partition and DNS replication.]

So what is a domain? A domain is your most basic administrative unit. It has a unique DNS-like
name, and it provides an administrative boundary because each domain has its own
administrators. Now these administrators oversee their collection of users, computers, groups,
and other types of network resources. Each of these resources on the network is represented
in the Active Directory database as an object, and they are stored inside the domain portion of
the Active Directory. And that means they are under the authoritative control of all those
domain controllers, the security policies, and, of course, those administrators. Now the domain
controllers are those draconian yet very helpful servers where Active Directory lives. Keep in
mind, each domain has its own set of domain controllers, one or more. Each computer can
only be a member of one domain at a time.

Now the last thing I want to bring out is, domains are logical units, that means they are not tied
to any geography or any physical location. A domain can be in a single location or it can span
the entire world, just depends on the design.

[A domain tree, Domain tree #1, consists of domaina.int as the forest root domain. The
domaina.int root domain includes two child domains, books.domaina.int and pen.domaina.int.
The pen.domaina.int child domain includes one more child domain in it, the
us.books.domaina.int. A site can have one or more than one domain.]

An important question to ask is, "How many domains do I need?" Well, that's going to depend
on several factors. Do you have administrator groups who require autonomy; that is, do you
have administrators with their own users and servers that they need to maintain control over?
Maybe they also need to maintain control, in regard to security, over those users and
computers. Or maybe you need to control replication traffic, especially between large regions
like North America and Europe or something like that. Factors such as these might dictate
additional domains. In fact, I even know one company that needed to create separate domains
because of international legal constraints.

Now separate domains mean separate administrators, separate domain policies, separate
names, separate domain partitions, and that separation might be just what you need to solve
your specific business problem. Keep in mind, however, any time you add an additional
domain, and this pertains to forests as well, any time you have more than one, well, you
increase cost. Now, I have got three kids; that means three college funds. Of course, we are
talking about domains here, not kids, but the principle still applies. The more domains, the more
costs; the more domains, the less merry it might be.

[The factors governing the use of multiple domains are manageability, decentralization, and
requirement of different namespaces.]

Let's talk now a little bit about the implications around a domain boundary. Remember, a
domain is a basic administrative unit, which implies domain administrators. Now those domain
administrators have a lot of responsibility. For one, they are responsible for the domain
controllers, that is, those servers which make up a domain, which provide the services within a
domain, and which respond to authentication requests. And those servers also typically host
DNS, and DNS is important because it makes the Active Directory discoverable. It allows
clients to find the Active Directory and allows servers, domain controllers, to find other domain
controllers for replication purposes. So when we talk about the domain boundary, we are
talking about those Active Directory responsibilities that are assigned to the administrator.

Now we also have roles like policy administration, so that domain administrator is also
responsible for delivering those policies to any authenticating client and machine within their
domain. Now these roles, including Group Policy and including the services of an Active
Directory, well, they can be carved up, but typically that is within a domain. So you can delegate
administrator rights. But the domain administrators themselves, well, they have that primary
responsibility because the domain as a container delivers these services on a per-domain
basis. It doesn't authenticate users from other forests; it authenticates users within that specific
domain.

[Domain boundaries are Active Directory responsibilities that are assigned to the administrator.
These responsibilities include:
Security – Account settings, Group Policy, Audit Policy, Domain database
Replication – Domain and AD-integrated DNS]

So what's a tree exactly? We have talked about a domain, we have talked about a forest. What
about the Active Directory tree? Well, a tree is very different from the domain and the forest. A
tree is not really an administrative boundary like a domain is, nor is it a security boundary the
way a forest is. A tree really has to do with an identity, so when I think of an Active Directory tree I
think of a family tree. Take my name for example, Jason Yates, you know. In the olden days I
might be named something like Jason, son of Carl the Miller, or gatekeeper, or whatever; and
that would distinguish me from everyone else and show who I belong to, and that is what an
Active Directory tree does. It is really about the name; it is really about the identity. So you
have a parent domain, maybe something like brocadero.com. And then you have a child
domain, corp.brocadero.com.

Now notice that the last portion of the name, brocadero.com, implies that it is a child that
belongs to the parent brocadero. You might have separate domains in the same forest with
different names, like ENT.local versus brocadero.com. They are part of the same forest, so they
replicate configuration and schema information. But because they have separate names, we
consider them separate trees. Now there is no such thing as a tree administrator, there is no
replication between trees, and there is no inheritance between parent domain and child domain.
Domain administration is completely separate, and yet trees are all about identity for application
and user purposes.
[A sample domain tree, Domain tree #1, consists of domaina.int as the forest root domain. The
domaina.int root domain includes two child domains, books.domaina.int and pen.domaina.int.
The pen.domaina.int child domain includes one more domain in it, the us.books.domaina.int
domain. A tree is more than one domain that shares the same name. It is not an administrative
or replication boundary.]
Windows Server 2012 R2 Domain & Forest Interoperability
Learning Objective
After completing this topic, you should be able to
◾ recognize how to manage the domain functional level in a given scenario

1. Upgrading domain controllers


Now you might be asking yourself, "Why should I consider Server 2012? I have got a perfectly
functional Active Directory environment now." Well, 2012 brings a lot to the table. First of all, it
is built on top of all of the things we like about 2008 R2's Active Directory, for instance, the
Active Directory Recycle Bin. So when you raise that functional level to 2008 R2, you have a
much easier way of recovering deleted objects. But 2012 brings some of its own features that
really can change the way you do administration. For instance, one of my favorite features is
Dynamic Access Control. Dynamic Access Control really, kind of, brings other technologies
together, simplifies their presentation and management through Server Manager, and allows
you to control access to resources not just based on group memberships, but based on the
type of file they are trying to access and the attributes that the user has in Active Directory. It is
called a claims-based access model.

And it can take a very complex situation and scenario, and simplify it and make it easier to
administer and manage. Now you might be wondering, well, what about 2012 R2? Well, R2
also has some unique features for Active Directory purposes. So let's talk about, for instance,
this new thing called Workplace Join. It is intended to solve a problem regarding devices that
users are bringing into the environment, the Bring Your Own Device, or BYOD, phenomenon,
and being able to access applications. How do we provide them access, authenticate them,
and ensure that they are authorized to do so? Well, we can use what is known as Web
Application Proxy and Workplace Join, and this is a new feature in 2012 R2. And this also
extends into other authentication scenarios. We might want to support single sign-on or
multi-factor authentication. These are also technologies in Windows Server 2012 R2, some
really exciting stuff in the Active Directory realm.

[A sample domain tree, Domain tree #1, consists of domaina.int as the forest root domain. The
domaina.int root domain includes two child domains, books.domaina.int and pen.domaina.int.
The pen.domaina.int child domain includes one more domain in it, the us.books.domaina.int
domain.]

So now you want to move to 2012 and take advantage of all those great features; how do you
do that? Well, let's talk a little bit about upgrading to the new operating system. Now there are
two ways of doing this. You can do an in-place upgrade on your domain controllers, and you
can see here that it requires a qualifying operating system. But there is no direct upgrade path
for those 32-bit platforms, and some people aren't big fans of upgrades, maybe because of
previous experience. So one of the things that you can do is consider a side-by-side
upgrade, which some people call a migration. I call it a side-by-side upgrade, not to confuse it
with other kinds of migrations. But this is all about introducing a new domain controller that is
already running Windows Server 2012 and relying on replication to upgrade it. So what do you
need to do in order to do that procedure?

First of all, you need to make sure your existing Active Directory environment is at least
Windows Server 2003 with a Windows Server 2003 functional level. Then you introduce your
new server, you join it to the domain, and you install Active Directory and DNS on it. Wait for
that replication to happen. Then at that point, you might need to transfer those flexible single
master operation roles. Once those are transferred and you have verified replication, you are
nearing the point where you can decommission the old servers and run nothing but 2012.

Now when you go through this process, consider replacing those older domain controllers with
read-only domain controllers or Server Core installations. In 2012, we have a lot more server
role options than we had in the past and these improve security and reduce maintenance.

[A table of in-place upgrade paths (Current Windows Server edition -> Upgrade option) is displayed:
Windows Server 2008 Standard with SP2 -> Windows Server 2012 R2 Standard
Windows Server 2008 Enterprise with SP2 -> Windows Server 2012 R2 Datacenter
Windows Server 2008 Datacenter with SP2 -> Windows Server 2012 R2 Datacenter
Windows Web Server 2008 -> Windows Server 2012 R2 Standard
Windows Server 2008 R2 Standard with SP1 -> Windows Server 2012 R2 Standard
Windows Server 2008 R2 Enterprise with SP1 -> Windows Server 2012 R2 Datacenter
Windows Server 2008 R2 Datacenter with SP1 -> Windows Server 2012 R2 Datacenter
Windows Web Server 2008 R2 -> Windows Server 2012 R2 Standard
Windows Server 2012 Standard -> Windows Server 2012 R2 Standard
Windows Server 2012 Datacenter -> Windows Server 2012 R2 Datacenter]

2. Domain and forest functional levels


What is a functional level? Now a functional level is kind of an Active Directory version. When
you raise the functional level, you typically enable new features. And there are two types of
functional levels: domain functional levels and forest functional levels. Now to change these
functional levels, you have to be part of the respective group. So to change the domain
functional level, you have to be a part of the Domain Admins group; for the forest
functional level, you need to be part of the forest administrators group, which is called
Enterprise Admins. Now in 2012, there is less reliance on these functional levels to enable new
features. For instance, the 2012 forest functional level doesn't actually provide any new
features at all.

However, you can still gain quite a bit of benefit by moving your functional level from 2003 to
2008 or 2008 R2, because that's going to give you things like the Active Directory, or AD,
Recycle Bin and fine-grained password policies. If you move to the 2012 domain functional level,
well, you'll gain Kerberos armoring and support for claims-based authentication, which are
important technologies behind Dynamic Access Control.

[The domain functional level is raised by connecting to the PDC emulator, by a member of
Domain Admins. The forest functional level is raised by connecting to the Schema Master, by a
member of Enterprise Admins. The operating system version of every domain controller must
support the target functional level. Also, a domain functional level cannot be lower than the
forest functional level, but it can be equal to or higher than the forest functional level.]

Now moving to a functional level is usually a one-way operation, at least that has been the
case for quite a while now. 2012 actually gives us the ability to roll back. And why would you
ever want to do this? Well, in most cases, you are not going to want to do this or be able to do
this. But in one situation you might actually roll back, so here is an example. Remember, with a
functional level, we are assuming that all of the operating systems are running at the same
version. So if I'm at the 2012 functional level, all of my domain controllers are at 2012, the
domain controllers in particular.

Now if I need to use an application that requires 2008, like the Active Directory Migration Tool,
which requires 2008 R2, well, in order to actually use that tool I have to have a 2008 R2
domain controller. Well, I can actually, in 2012, go back down to that 2008 R2 functional level,
introduce that older domain controller, and be able to run that tool. But in most cases, in most
situations, you are not going to need to roll back, and I would encourage you to consider this a
forward operation. So be sure you are ready to raise that functional level because in most
cases there is no going back.

[A table of rollback options for the different functional levels is displayed:

Domain functional level | Forest functional level | Rollback
Windows Server 2012 R2  | Windows Server 2012 R2  | None, unless the forest functional level is lowered first
Windows Server 2012 R2  | Windows Server 2012     | Windows Server 2012
Windows Server 2012 R2  | Windows Server 2008 R2  | Windows Server 2012 or Windows Server 2008 R2]
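Checking and raising functional levels from PowerShell, with the three constraints the slide states (every DC's OS must support the target level, the domain level is changed against the PDC emulator and the forest level against the schema master, and the forest level cannot exceed any domain's level) and the rollback rule from the table (a domain level cannot drop below the forest level). This is an added example and not part of the course. It assumes the ActiveDirectory module (RSAT-AD-PowerShell, present on any 2008 R2 or later DC), Domain Admins membership for the domain step and Enterprise Admins for the forest step; the domain name ent.local in the usage lines is hypothetical.

```powershell
# Added example, not from the course. Requires the ActiveDirectory module (RSAT-AD-PowerShell,
# present on any 2008 R2 or later DC). Set-ADDomainMode needs Domain Admins, Set-ADForestMode
# needs Enterprise Admins. The level names are the ADDomainMode / ADForestMode enum values.
Import-Module ActiveDirectory

# Lowest Windows Server build (major.minor) a DC must run for each domain level.
$MinOsForDomainMode = @{
    'Windows2000Domain'        = [version]'5.0'
    'Windows2003InterimDomain' = [version]'5.2'
    'Windows2003Domain'        = [version]'5.2'
    'Windows2008Domain'        = [version]'6.0'
    'Windows2008R2Domain'      = [version]'6.1'
    'Windows2012Domain'        = [version]'6.2'
    'Windows2012R2Domain'      = [version]'6.3'
}

function Get-DcTooOldForLevel {
    # DCs of $Domain whose OS cannot run at $TargetMode. OperatingSystemVersion looks
    # like "6.3 (9600)"; only the "6.3" part is compared.
    param([string]$Domain, [string]$TargetMode)
    $required = $MinOsForDomainMode[$TargetMode]
    Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { [version](($_.OperatingSystemVersion -split ' ')[0]) -lt $required }
}

function Set-DomainLevel {
    # Raise (or, on 2012 and later, lower) the domain functional level with the slide's checks.
    param([string]$Domain, [string]$TargetMode)
    $dom = Get-ADDomain -Identity $Domain
    $tooOld = @(Get-DcTooOldForLevel -Domain $Domain -TargetMode $TargetMode)
    if ($tooOld.Count -gt 0) {
        $names = ($tooOld | ForEach-Object { $_.HostName }) -join ', '
        throw "Cannot set $Domain to ${TargetMode}: $names run an OS that is too old."
    }
    # A domain level may not drop below the forest level: lower the forest first.
    $forestAsDomain = (Get-ADForest).ForestMode.ToString() -replace 'Forest$', 'Domain'
    if ($MinOsForDomainMode[$TargetMode] -lt $MinOsForDomainMode[$forestAsDomain]) {
        throw "$TargetMode is below the forest level ($forestAsDomain); lower the forest level first."
    }
    # The change is made against the PDC emulator, the role holder that owns it.
    Set-ADDomainMode -Identity $dom.DistinguishedName -DomainMode $TargetMode `
                     -Server $dom.PDCEmulator -Confirm:$false
    (Get-ADDomain -Identity $Domain -Server $dom.PDCEmulator).DomainMode
}

function Set-ForestLevel {
    # Raise the forest functional level; every domain must already be at that level or higher.
    param([string]$TargetMode)    # e.g. Windows2012R2Forest
    $forest = Get-ADForest
    $required = $MinOsForDomainMode[($TargetMode -replace 'Forest$', 'Domain')]
    foreach ($d in $forest.Domains) {
        $mode = (Get-ADDomain -Identity $d).DomainMode.ToString()
        if ($MinOsForDomainMode[$mode] -lt $required) {
            throw "Domain $d is at $mode; raise it before raising the forest level."
        }
    }
    # The change is made against the schema master.
    Set-ADForestMode -Identity $forest.RootDomain -ForestMode $TargetMode `
                     -Server $forest.SchemaMaster -Confirm:$false
    (Get-ADForest -Server $forest.SchemaMaster).ForestMode
}

# Usage; the domain name is a hypothetical example.
# Set-DomainLevel -Domain 'ent.local' -TargetMode Windows2012R2Domain
# Set-ForestLevel -TargetMode Windows2012R2Forest
# Rollback (2012 and later) works only down to the current forest level, so with the
# forest at Windows2012Forest this succeeds and at Windows2012R2Forest it is refused:
# Set-DomainLevel -Domain 'ent.local' -TargetMode Windows2012Domain
```

The OS check runs before anything is changed because the directory will not warn you: a DC running an older OS than the new level simply stops being able to replicate. The forest check mirrors the slide's rule in the other direction, since a forest level higher than one of its domains is rejected by the schema master anyway.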

3. Demo: Managing functional levels


In this demonstration, I want to talk about upgrading an existing domain controller to 2012 R2.
This is a 2008 R2 domain controller and I'm going to upgrade it. Now, a couple of things before
we jump into the actual button clicking, and that is, you need to, of course, analyze your current
environment, and prepare, and plan; that is going to be important. For instance, one of the
things I had to do is actually run adprep in order to update my schema to support a 2012
domain controller. Other things to think about have to do with the compatibility of
applications in your environment and their dependencies on Active Directory, and verifying and
validating your Active Directory health. And there are a variety of ways of doing this: Domain
Controller Diagnostics, or DCDIAG, and looking at DNS, and other things.

Of course, have a good recovery plan in place and verify your requirements. There are some
important things to remember. You have to have a qualifying operating system, and it supports
only 64-bit in terms of in-place upgrades, so a couple of things to think about. Now for me, I
had to run adprep, you can see here, /forestprep. I have got my domain environment
upgraded; its schema went from version 47 to version 69, so that part is taken care of.

Now other things that I took care of: here you can see I have got a 64-bit operating system.
It's again, currently, a domain controller for the ent domain. So I meet those important
requirements. I have already started Setup and I have already indicated that I want to use an
in-place upgrade, in the sense that I ran Setup on the local machine. So I'm actually running
this not in Windows PE but on the local machine. So now what I need to do is choose what
edition I want to upgrade to. Server Core is a great choice. I'm going to go ahead and choose
Server with a GUI. Server Core is just going to be a bit more secure, less patching and
maintenance.

[A Notepad file lists the things to check before upgrading an existing domain controller:
1) Learn, Analyze, Plan
2) Prepare environment - adprep may be required - compatibility! - check AD DS health
3) Backup (especially certificates too!)
4) Verify Requirements: - AD DS cannot be installed on: *Hyper-V host *Remote Desktop Connection Broker - x64 only - 2003 functional level at least - qualifying OS
The instructor navigates to the Administrator: Command Prompt window, which shows:
    D:\>cd support\adprep
    D:\support\adprep>adprep /forestprep
    ADPREP WARNING: Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or later.
    You are about to upgrade the schema for the Active Directory forest named 'ent.local', using the Active Directory domain controller (schema master) 'DC1.ent.local'. This operation cannot be reversed after it completes.
    [User Action] If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
    c
    Current Schema Version is 47
    Upgrading schema to version 69
    Verifying file signature
    Connecting to "DC1.ent.local"
    Logging in as current user using SSPI
    Importing directory from file "D:\support\adprep\sch48.ldf"
    Loading entries...
    38 entries modified successfully.
    The command has completed successfully.
The instructor navigates to the System page of the System and Security option in the Control Panel, which displays the basic information about the instructor's computer. The instructor minimizes this window and navigates to the Windows Setup dialog box, which displays a table with three columns: Operating system, Architecture, and Date modified. The first row contains 'Windows Server 2012 R2 Datacenter (Server Core Installation)' as the Operating system, 'x64' as the Architecture, and '8/22/2013' as the Date modified. The second row contains 'Windows Server 2012 R2 Datacenter (Server with a GUI)' as the Operating system, 'x64' as the Architecture, and '8/22/2013' as the Date modified. The first row is already selected. The instructor selects the second row and clicks Next. As a result, the License terms page is displayed in the Windows Setup dialog box.]

Once I select Next to this, I have my end-user license agreement, and then I need to tell Setup
what I'm doing. So is this going to be an in-place upgrade, or am I doing a clean install? I'm
going to choose in-place upgrade. Next it evaluates my environment, my current system. And if
I hadn't run adprep, it would actually give me an error message here. If I don't have a
qualifying operating system or there are some potential compatibility issues, it might alert me
here. In this case, I might see some warning messages; of course, each is important to pay
attention to, but I can advance and start that upgrade.

So you can see how easy it is. The important work is going to be making sure your
environment is prepared, and you have evaluated, and you have planned properly.

[The Windows Setup dialog box is displayed with the License terms page open. It contains the
Microsoft Software License Terms for Microsoft Windows Server 2012 R2 Datacenter. The 'I
accept the license terms' option is also present in the dialog box. The instructor selects the
option and clicks Next. As a result, the instructor navigates to the next page, which asks
'Which type of installation do you want?' and offers two options: 'Upgrade: Install Windows and
keep files, settings, and applications' and 'Custom: Install Windows only (advanced)'. This page
also contains the 'Help me decide' link. The instructor selects the 'Upgrade: Install Windows and
keep files, settings, and applications' option, which displays a progress bar while compatibility
is checked. Once the compatibility check finishes, the 'Compatibility report (saved on your
desktop)' page is displayed, which includes some warning messages. The instructor clicks Next
and navigates to the Upgrading Windows page of the Windows Setup dialog box, which lists the
steps of the upgrade:
Copying Windows files (0%)
Collecting files, settings, and applications
Getting files ready for installation
Installing features and updates
Almost done moving files, settings, and applications]
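The instructor's pre-upgrade checklist (x64 only, a qualifying OS, no Hyper-V or RD Connection Broker role, adprep already run, functional levels at Windows Server 2003 or higher, AD DS health, a backup) turned into a script that reports PASS or FAIL per item. This is an added example and not part of the course. It is meant to run on the DC about to be upgraded and assumes a 2008 R2 or later DC so the ActiveDirectory module is available; it deliberately uses Get-WmiObject and no PowerShell 3.0-only syntax so it also runs under the PowerShell 2.0 that 2008 R2 ships with. The schema numbers in the comment (47 for 2008 R2, 56 for 2012, 69 for 2012 R2) are the objectVersion values adprep writes; the demo's own output shows 47 going to 69.

```powershell
# Added example, not from the course: the pre-upgrade checklist as a readiness report.
# Run on the DC to be upgraded (2008 R2 or later, so the ActiveDirectory module exists).
# Written for PowerShell 2.0 compatibility: Get-WmiObject, no [ordered], no -in/-notin.
Import-Module ServerManager
Import-Module ActiveDirectory

function Test-InPlaceUpgradeReadiness {
    $r = New-Object System.Collections.Specialized.OrderedDictionary

    # x64 only, and only from a qualifying OS: 2008 SP2 (6.0), 2008 R2 SP1 (6.1) or 2012 (6.2).
    $os = Get-WmiObject Win32_OperatingSystem
    $v  = [version]$os.Version
    $sp = [int]$os.ServicePackMajorVersion
    $r['64-bit operating system'] = ($os.OSArchitecture -eq '64-bit')
    $r['Qualifying OS (2008 SP2 / 2008 R2 SP1 / 2012)'] =
        ($v.Major -eq 6 -and (($v.Minor -eq 0 -and $sp -ge 2) -or ($v.Minor -eq 1 -and $sp -ge 1) -or $v.Minor -eq 2))

    # Roles the checklist says a DC being upgraded must not carry.
    $installed = Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object { $_.Name }
    $r['Not a Hyper-V host']          = -not ($installed -contains 'Hyper-V')
    $r['Not an RD Connection Broker'] = -not ($installed -contains 'RDS-Connection-Broker')

    # adprep /forestprep done: 2012 R2 schema is objectVersion 69 (47 = 2008 R2, 56 = 2012).
    # adprep /domainprep must also have been run in this domain before Setup will proceed.
    $schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    $r['Schema version >= 69 (adprep /forestprep)'] = ([int]$schema.objectVersion -ge 69)

    # Functional levels at least Windows Server 2003 (no Windows 2000 or 2003 interim).
    $r['Domain functional level >= 2003'] = ((Get-ADDomain).DomainMode.ToString() -notmatch '2000|Interim')
    $r['Forest functional level >= 2003'] = ((Get-ADForest).ForestMode.ToString() -notmatch '2000|Interim')

    # AD DS health: dcdiag /q prints only failures, so empty output means a clean run.
    $diag = & dcdiag.exe /q 2>&1
    $r['dcdiag /q reports no failures'] = [string]::IsNullOrEmpty((($diag | Out-String).Trim()))

    # A backup to fall back on (Windows Server Backup); the checklist stresses certificates too.
    $versions = & wbadmin.exe get versions 2>&1
    $r['Windows Server Backup has a version to restore'] = [bool]($versions | Select-String 'Backup time')

    return $r
}

$result = Test-InPlaceUpgradeReadiness
foreach ($k in $result.Keys) {
    '{0} {1}' -f $(if ($result[$k]) { 'PASS' } else { 'FAIL' }), $k
}
```

A FAIL on the schema line is the one Setup itself would also stop on, as the instructor notes; the others are the cases where Setup either refuses the upgrade (architecture, roles) or lets you proceed into a state you cannot recover from cleanly (no backup, unhealthy replication), so treat every FAIL as a stop.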

Now another way to upgrade your existing environment to 2012 is to introduce a domain
controller that is running 2012 or 2012 R2, rely on replication, and then decommission the older
domain controllers as you see fit. Now in this case, I have actually got a 2012 machine; it is a
member of an existing forest and I have tried to actually promote it. But you can see here, I'm
running into a requirement failure. So I need to actually make sure that my existing environment
is running Windows Server 2003 as its functional level. Now I have got my 2003 domain
controller here; this is the domain environment I'm trying to join. A direct upgrade is not
available to me, as you can see the Setup here is failing.

But I can support the scenario where I introduce that domain controller, provided I raise the
functional level. So let's do that. And there we go; I have raised the functional level for the
domain. I also need to do this for the actual forest, and that requires that I use the tool Active
Directory Domains and Trusts. So let me bring that tool up here and we'll raise the forest
level; there we go. So I have actually prepared my existing environment to support a 2012
domain controller. I go back now, click Next again. It is going to re-evaluate and hopefully we
can advance at this point.

[The Upgrading Windows page of the Windows Setup dialog box is displayed, which includes
the following steps for upgrading a system: Copying Windows files (0%); Collecting files,
settings, and applications; Getting files ready for installation; Installing features and updates;
Almost done moving files, settings, and applications. The instructor navigates to the Active
Directory Domain Services Configuration Wizard. This page contains a navigation pane on the
left that includes the following tabs: Deployment Configuration, Domain Controller Options,
Additional Options, Paths, Review Options, Prerequisites Check, Installation, and Results. The
Deployment Configuration tab is already selected and displayed in the right section. This
tabbed page contains the following options to perform the deployment operation: Add a
domain controller to an existing domain; Add a new domain to an existing forest; Add a new
forest. Next is the 'Specify the domain information for this operation' section, which contains
'easynomadtravel.com' as the Domain and a Select button associated with it.
'EASYNOMADTRAVEL\administrator (Current user)' is selected as the credential to perform
the operation. This tabbed page also contains the following error message at the top of the
tabs with a 'Show more' link: Verification of replica failed. The forest functional level is
Windows 2000. To install a Windows Server 2012 R… Show more. The instructor navigates to
the CD drive of the system and clicks the setup.exe file, which displays an error message
saying that the procedure entry point __CxxFrameHandler3 could not be located in the dynamic
link library msvcrtl.dll. The instructor clicks OK in the message box, which displays another
error message box that says "The file 'autorun.dll' could not be loaded or is corrupt. Setup
cannot continue. Error code is [0x7F]." Next the instructor navigates to the Active Directory
Users and Computers window, which includes 'Active Directory Users and Computers
[server18.easy…]' as the root node and two sub-nodes: Saved Queries and
easynomadtravel.com. The easynomadtravel.com sub-node is already expanded and contains
the following folders: Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Users,
North, South, East. The folders contained in the easynomadtravel.com sub-node are also
displayed in the right section. The instructor right-clicks the easynomadtravel.com sub-node
and selects the 'Raise Domain Functional Level' option from the shortcut menu, which displays
the 'Raise Domain Functional Level' dialog box. This dialog box contains 'easynomadtravel.com'
as the Domain name, 'Windows 2000 mixed' as the Current domain functional level, and
'Windows 2000 native' is selected for the 'Select an available domain functional level' option.
The instructor selects 'Windows Server 2003' as the domain functional level and then clicks the
Raise button. A confirmation box is displayed, which says 'This change affects the entire
domain. After you raise the domain functional level, it cannot be reversed.' The instructor clicks
OK and then a message box is displayed, which says 'The functional level was raised
successfully. The new functional level will now replicate to each domain controller in the
domain. The amount of time this will take varies, depending on your replication topology.' The
instructor clicks OK in the dialog box and navigates back to the Active Directory Users and
Computers window. The instructor navigates to the Active Directory Domains and Trusts
window, which contains 'Active Directory Domains and Trusts' as the root node and
easynomadtravel.com as the sub-node. The instructor right-clicks the root node and selects the
'Raise Forest Functional Level' option from the shortcut menu, which displays the Raise Forest
Functional Level dialog box. The Forest name is 'easynomadtravel.com', the Current forest
functional level is 'Windows 2000', and 'Windows Server 2003' is selected as the available
forest functional level. The instructor retains all the options as is and clicks Next. As a result, a
message box displaying the following message is displayed: The functional level was raised
successfully. The new functional level will now replicate to each domain controller in the forest.
The amount of time this will take varies, depending on your topology. The instructor clicks OK
and then navigates to the Active Directory Domain Services Configuration Wizard. The
instructor retains all the selected options as is in the Deployment Configuration tab and moves
to the next tab – Domain Controller Options.]

Now a couple of things: I'm not using dcpromo, I actually use Server Manager's Add Roles
wizard. And then there is an option after the wizard completes to promote the server, as you
can see here: Promote this server to a domain controller. So I have launched into this
additional wizard here and I'm able to make it an additional DC, a replica, a participant in the
existing domain. Now I have several different options here; I can define the very important
Directory Services Restore Mode password, and I'm going to go ahead and do that here. I
get a warning saying that this machine cannot be a read-only domain controller. It is an
explanation, really, as to why this option is ghosted out, and that is because read-only domain
controllers, or RODCs, require 2008 domain controllers that are writable.

And since I don't have any, it's telling me that's the reason that option is not available. But the
other options are listed, as well as being able to choose a different site for this domain
controller. I have got a couple of DNS messages. Then I have the ability to install from media
or to indicate which domain controller I want to replicate from.

[The Domain Controller Options tab is already selected in the Active Directory Domain
Services Configuration Wizard. This tabbed page contains the following options under 'Specify
domain controller capabilities and site information': Domain Name System (DNS) server, Global
Catalog (GC), Read only domain controller (RODC). The 'Domain Name System (DNS) server'
and 'Global Catalog (GC)' options are already selected. The instructor navigates to the Results
tab of the Add Roles and Features Wizard in the Server Manager window and points to the
'Promote this server to a domain controller' link. Then the instructor navigates back to the
Domain Controller Options tab of the Active Directory Domain Services Configuration Wizard.
'Default-First-Site-Name' is already selected in the Site name drop-down list. For the 'Type the
Directory Services Restore Mode (DSRM) password' options, the instructor enters the
password and confirms the same. Then the instructor clicks Next and navigates to the DNS
Options page under the Domain Controller Options tab. The instructor does not make any
changes, clicks Next, and navigates to the Additional Options tab. This tabbed page contains
the 'Install from media' option under the 'Specify Install From Media (IFM) Options' section and
the 'Replicate from' option, with 'Any domain controller' already selected, in the 'Specify
additional replication options' section. The instructor then selects the
'server18.easynomadtravel.com' option from the 'Replicate from' drop-down list.]

If I have created a backup, I can elect to use this option and reduce the amount of replication
traffic, or I can indicate the server I want to pull from. And then I get some standard promotion
questions, if we have ever done this before, questions like 'Where do I put the database?',
'Where do I put the log files?', those types of things.

So I'm going to go ahead and finish this wizard here. It's going to complete with the promotion.
But you can see that the wizard actually does a lot of the work for me. It prepares the
environment so I don't need to run adprep, I don't need to run dcpromo, that's all part of the
actual wizard. Once I meet the requirements, I click Install and the promotion can complete.

[The Additional Options tabbed page is displayed in the Active Directory Domain Services
Configuration Wizard where the 'server18.easynomadtravel.com' option is selected from the
'Replicate from' drop-down list. The instructor clicks Next and navigates to the Paths tab first
and then to the Review Options tab without making any changes. The instructor reaches the
Prerequisites Check tab, which displays the result of the prerequisites check in the View
results section. The instructor then clicks Install and navigates to the Installation tab of the
wizard.]
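The same preparation the demo performs in the GUI (check the functional levels, raise them to Windows Server 2003, then promote the 2012 R2 member server as a replica from server18) as an added PowerShell example; this is not the course's own code. It assumes RSAT-AD-PowerShell is installed on the 2012 R2 server, the existing DC can be reached by the ActiveDirectory module (a 2003 DC needs the AD Management Gateway Service for that) and holds the FSMO roles, and the caller is in Domain Admins and Enterprise Admins; the names are the demo's.

```powershell
# Added example (not from the course). Raising a functional level cannot be reversed,
# so the script only raises a level that is still at Windows 2000, the state that makes
# the wizard report "Verification of replica failed".
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$DomainName = 'easynomadtravel.com'             # domain from the demo
$SourceDc   = 'server18.easynomadtravel.com'    # existing DC the demo replicates from

function Confirm-FunctionalLevel {
    param([string]$Domain, [string]$Server)

    $d = Get-ADDomain -Identity $Domain   -Server $Server
    $f = Get-ADForest -Identity $d.Forest -Server $Server
    Write-Host "Domain level: $($d.DomainMode)   Forest level: $($f.ForestMode)"

    # 'Windows 2000 mixed' and 'Windows 2000 native' both report as Windows2000Domain
    if ($d.DomainMode -eq 'Windows2000Domain') {
        Write-Host 'Raising domain functional level to Windows Server 2003'
        Set-ADDomainMode -Identity $d -DomainMode Windows2003Domain -Server $Server -Confirm:$false
    }
    if ($f.ForestMode -eq 'Windows2000Forest') {
        Write-Host 'Raising forest functional level to Windows Server 2003'
        Set-ADForestMode -Identity $f -ForestMode Windows2003Forest -Server $Server -Confirm:$false
    }

    # The new level still has to replicate to every DC before the promotion is retried
    (Get-ADDomain -Identity $Domain   -Server $Server).DomainMode
    (Get-ADForest -Identity $d.Forest -Server $Server).ForestMode
}

function Install-ReplicaDc {
    param([string]$Domain, [string]$Server, [pscredential]$Credential)

    # The DSRM password the wizard asks for on its Domain Controller Options page
    $dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

    $params = @{
        DomainName                    = $Domain
        Credential                    = $Credential
        SiteName                      = 'Default-First-Site-Name'
        ReplicationSourceDC           = $Server            # instead of 'Any domain controller'
        InstallDns                    = $true              # the two capabilities the demo keeps
        NoGlobalCatalog               = $false             # ticked: DNS server and Global Catalog
        SafeModeAdministratorPassword = $dsrm
        DatabasePath                  = 'C:\Windows\NTDS'  # default paths the demo accepts
        LogPath                       = 'C:\Windows\NTDS'
        SysvolPath                    = 'C:\Windows\SYSVOL'
        NoRebootOnCompletion          = $false
        Force                         = $true
    }

    # Same checks as the wizard's Prerequisites Check page; stop if any of them fails
    $check = Test-ADDSDomainControllerInstallation @params
    $check.Message
    if ("$($check.Status)" -ne 'Success') {
        throw 'Prerequisites check failed; fix the reported problems before promoting'
    }

    # Promotion replaces both adprep and dcpromo, as the course notes
    Install-ADDSDomainController @params
}

$cred = Get-Credential -Message 'Domain Admins / Enterprise Admins account' `
                       -UserName 'EASYNOMADTRAVEL\administrator'
Confirm-FunctionalLevel -Domain $DomainName -Server $SourceDc
Install-ReplicaDc -Domain $DomainName -Server $SourceDc -Credential $cred
```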
Windows Server 2012 R2 Trust Relationships
Learning Objective
After completing this topic, you should be able to
◾ recognize trust relationship types

1. Trust relationships
If you have multiple domains and users in each one of those domains and they want to access
resources, you need trust between those domains. You see, remember what a domain is. A
domain is a separate kingdom and has its own domain administrators, its own dominion. And
so users within a domain can authenticate to their own domain controllers and access
resources. But if they reach across those domain boundaries and try to access a resource in
another domain, another kingdom, well the domain controllers there are not going to trust them
if a trust relationship hasn't been established. So what we do in Active Directory is we can
create these trust relationships. And if it is part of the same forest, these trust relationships are
automatically created for us. Now let's talk a little about the characteristics of a trust. A trust
has direction. It is a one-way trust or a two-way trust; that is, you can have a domain that
trusts users from the other domain but not vice versa, and that is a one-way trust.

If it goes both ways, well then, of course, it is a two-way trust and users from either domain can
access resources in the other domain, crossing over that secure channel called a trust. Now
trusts are either transitive or nontransitive; that means they either work only explicitly or they
also work implicitly. So in this example here, you have three domains. Now the middle domain
has a trust relationship with the other two, but there is no explicit trust relationship between
easynomad and booking; and yet the two domains trust each other, because the trusts that we
have here are transitive, because they both mutually trust the domain in the middle. If these
trusts were not transitive, then we would have to create an explicit trust between
easynomadtravel and booking; and that has a lot to do with the nature of the trusts themselves.
They are either transitive, allowing implied trust, or they are nontransitive, where every trust
has to be explicit.

[Three domains, easynomadtravel.com, la.easynomadtravel.com, and
booking.la.easynomadtravel.com, have two-way trust relationships established between them.]

When we talk about trusts, we typically indicate them in our diagrams with an arrow, and we
indicate who is doing the trusting and who is the trusted, and it is always really confusing. So
we have got this trusting domain, and we draw the arrow from the trusting domain and point it
to the domain that contains the user accounts; that is our trusted domain.

Now what's interesting about this is that the access of the users always goes against the
arrow. So in this example here, users from the trusted domain access resources in the
trusting domain. And of course, this is going to be different with a two-way trust; you would
have arrows going in both directions and both domains would be trusting and trusted. When it
comes to understanding trusts, recognize this designation, trusting versus trusted, and the
direction that arrow points. It always points to the trusted domain, but the actual resource
access is against the arrow.

2. Trust types
Now if I have a need to access resources in a separate forest then I need to create what is
called a forest trust. And now we are not talking about the trust that is automatically created
within a forest, we are talking about a trust that you create or the administrators create
between separate forests to access resources. Now let's talk a little about the requirements for
this. First of all, you need to be a domain administrator within the forest root domain or be part
of the Enterprise Admins group. And of course, you need coordination here, so that if you
have separate administrators in the other forest, well, of course, they also need to work with
you in order to set this up. You can't impose a trust onto another forest unless you have
privileges in that other forest as well. So this might require some coordination. Another very
important requirement is name resolution. Both forests have to be able to resolve each other's
names.

And I think that's the biggest hurdle: ensuring that you have domain controllers that can find
each other, so address that DNS name resolution. Now once you have addressed those and
you have the proper permissions, the next question is, 'What kind of trust are you going to
need?' Don't grant a two-way trust if you don't need a two-way trust. If you only have users
from one forest accessing resources in the other, then a one-way forest trust is all that you
need. Another thing to know is that these trusts are transitive, which means child domains and
users in those child domains can go across that forest trust to access resources in the other
forest.

[A forest consists of the easynomadtravel.com domain and two child domains under it,
la.easynomadtravel.com and ny.easynomadtravel.com. The interswift.com domain also
contains two child domains under it, la.interswift.com and ny.interswift.com. Three
characteristics of forest trusts are listed: One-way, Two-way, Transitive.]

Another type of trust that you can create is called the external trust. Now this differs from the
forest trust in a couple of ways. First of all, an external trust is used for really older Windows
domain environments like a Windows 2000 Active Directory or an NT 4.0 domain environment.
And so if you have got a newer Active Directory environment and there is an older one and
you want to exchange resources, well, your only option is to create an external trust. Now like
the forest trust, these trusts can be one-way or two-way. But unlike the forest trust, they are
nontransitive.

So anywhere you need to provide that path of access, if you have multiple domains on either
side, well, that is going to require multiple trusts. Now keep in mind, many other requirements
for creating an external trust are the same as for a forest trust. So you need to have domain
admin rights in both domains and you need to make sure that DNS is providing name
resolution for both domains.

[A forest consists of the easynomadtravel.com domain and two child domains under it,
la.easynomadtravel.com and ny.easynomadtravel.com. The interswift.com domain also
contains two child domains under it, la.interswift.com and ny.interswift.com, where the
la.interswift.com domain is an NT 4.0 domain. Three characteristics of external trusts are
listed: One-way, Two-way, Nontransitive.]
Now we all like shortcuts, right, because shortcuts make it faster to get to where we need to
go. Well, when it comes to trusts, you also can create what is known as a shortcut trust. Now it
is not likely you are going to need this unless you are in one of those situations where you
have multiple domains, and these domains require users to extend themselves across multiple
trusts to access resources. So there are multiple trusts that they actually cross to build that
authentication path before they can request the resource they are looking for. Now that means
slow logon times: you know, a user is moving from one domain to another, and they have to
talk to that local domain, which then talks to a domain controller, or DC, in the parent domain,
which talks to a DC across another trust in this other domain. Well, that all takes time.

So one of the things you can do to improve the authentication wait is to create a shortcut. A
shortcut trust is an explicit trust that you create, particularly between child domains; not
necessarily, but that's a common scenario. So that shortens the path and leaves the parent out
of the loop, so it is a faster authentication path. Now these trusts can be one-way or two-way
and they are transitive, because they are using the current Active Directory technology. We
are not talking about creating a trust with an older legacy domain, as is the case with an
external trust. We are talking about newer domains, so they are going to be transitive.

[A forest consists of the easynomadtravel.com domain and two child domains under it,
la.easynomadtravel.com and ny.easynomadtravel.com. The two child domains of the
easynomadtravel.com domain share a shortcut trust relationship with each other. Also, the
easynomadtravel.com domain shares a shortcut trust relationship with the interswift.com
domain. Three characteristics of shortcut trusts are listed: One-way, Two-way, Transitive.]

We have talked about, now, the forest trust, the external trust, the shortcut trust; this is the
fourth and final type of trust that you can create. It is called the realm trust. Now the realm
trust, really, is used to create a trust relationship with a non-Windows environment. Now this
non-Windows environment needs to support Kerberos and that is because Active Directory is a
Kerberos based environment; that is its authentication protocol. And so we can connect to
other Kerberos based systems like UNIX based systems that support Kerberos version 5 and
create a trust relationship between them.

Now that can be a one-way or a two-way trust, and these trusts can be either transitive or
nontransitive. So in many ways they don't differ very much from the other types of trusts that
we have talked about.

[A forest consists of the easynomadtravel.com domain and two child domains under it,
la.easynomadtravel.com and ny.easynomadtravel.com. A realm trust offers cross-platform
interoperability, and hence the easynomadtravel.com domain shares a realm trust relationship
with the interswift.com domain, which is present in a non-Windows environment. Three
characteristics of realm trusts are listed: One-way, Two-way, Transitive or Nontransitive.]
Managing Windows Server 2012 R2 Trust Relationships
Learning Objective
After completing this topic, you should be able to
◾ describe trust relationship configuration options

1. Securing trust relationships
A trust provides an important authentication path between domains and forests and realms.
But how do we ensure the security of these trusts? Well trusts have several security features
that make them resistant to certain types of abuse. For instance, this one here, security
identifier, or SID, filtering. SID filtering prevents rogue administrators from exploiting the SID
history feature in Active Directory.

Now you may not be familiar with SID history. SID history is very helpful when you are doing a
migration, when you are moving a user account from one domain into another, because you
can enable it to access old resources and new, because it can remember multiple SIDs. But it
can also be abused, and to prevent that abuse a trust can enable SID filtering, which accepts
only specific SIDs from across the trust. Of course, if you are doing a migration, you might
need to turn off SID filtering. But as a best practice, if you don't need SID history, leave SID
filtering turned on.

[A security feature called SID filtering is meant for trusts with domains in another forest. It can
be enabled or disabled for external or forest trusts. It prevents malicious users from assigning
themselves rights in a trusting domain. Two domains, easynomadtravel.com and
interswift.com, share a two-way trust relationship with each other. Both these domains use the
SID filtering security feature of trusts.]

Another way to create a secure trust is to use selective authentication. Of course, one of the
purposes of a trust is to allow users from one domain to access resources in another domain.
But when you do that, you allow any and all users access. What if you want to restrict that to
very specific users? Well, that's where selective authentication comes in. To better secure
your trusting domains from users in the trusted domain, you can use selective authentication,
because it restricts access across the trust to authorized users only.

One way I like to think of this is like a firewall. When selective authentication is enabled, only
those users who are explicitly listed in the properties of the resource will be actually allowed to
authenticate over the trust. This is another best practice when you need to secure your trust.

[Two domains, easynomadtravel.com and interswift.com, share a two-way trust relationship
with each other. Selective authentication is enabled on external trusts and forest trusts where
the forest functional level is set to Windows Server 2003. It restricts resource access to those
given explicit permissions.]
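An added audit script, not from the course, that lists every trust of a domain in the terms used above (trusting versus trusted, which way access flows, trust type, transitivity) and flags the two safeguards just discussed when they are not in place. It assumes the ActiveDirectory module and read access to the domain; the trustAttributes bit values are the ones documented in MS-ADTS, and the sample decode at the end uses a constructed value.

```powershell
# Added example (not from the course): audit trusts for SID filtering and selective
# authentication. Direction, as Get-ADTrust reports it, is relative to the domain queried.
Import-Module ActiveDirectory

# trustAttributes flags (MS-ADTS); Get-ADTrust exposes the raw integer as TrustAttributes
$TA = @{
    NonTransitive    = 0x1
    Quarantined      = 0x4    # SID filtering (quarantine) on an external trust
    ForestTransitive = 0x8    # forest trust
    CrossOrg         = 0x10   # selective authentication
    WithinForest     = 0x20   # parent-child, tree-root or shortcut trust
    TreatAsExternal  = 0x40   # forest trust relaxed so SID history is honoured
}

function Get-TrustKind {
    param([string]$TrustType, [int]$Attributes)
    if ($TrustType -eq 'MIT')                   { return 'Realm' }        # Kerberos V5 realm
    if ($TrustType -eq 'Downlevel')             { return 'External (NT 4.0)' }
    if ($Attributes -band $TA.WithinForest)     { return 'Intra-forest (automatic or shortcut)' }
    if ($Attributes -band $TA.ForestTransitive) { return 'Forest' }
    return 'External'
}

function Get-TrustAudit {
    param([string]$Server)   # optional DC to query; defaults to the current domain
    $opt = @{}
    if ($Server) { $opt.Server = $Server }
    $me = (Get-ADDomain @opt).DNSRoot

    foreach ($t in Get-ADTrust -Filter * -Properties TrustAttributes, TrustType, Direction @opt) {
        $attr = [int]$t.TrustAttributes
        $kind = Get-TrustKind -TrustType "$($t.TrustType)" -Attributes $attr

        # Outbound = this domain trusts the partner: this domain is the trusting side and
        # partner users reach resources here (access flows against the arrow).
        switch ("$($t.Direction)") {
            'Outbound'      { $trusting = $me;        $trusted = $t.Target }
            'Inbound'       { $trusting = $t.Target;  $trusted = $me }
            'BiDirectional' { $trusting = 'both';     $trusted = 'both' }
        }

        $findings = @()
        if ($kind -eq 'External' -and -not ($attr -band $TA.Quarantined)) {
            $findings += 'SID filtering off: SID history from the trusted domain is honoured'
        }
        if ($kind -eq 'Forest' -and ($attr -band $TA.TreatAsExternal)) {
            $findings += 'SID history enabled across a forest trust (SID filtering relaxed)'
        }
        if (@('Forest', 'External') -contains $kind -and -not ($attr -band $TA.CrossOrg)) {
            $findings += 'No selective authentication: every trusted user may authenticate'
        }

        [pscustomobject]@{
            Partner             = $t.Target
            Kind                = $kind
            Direction           = "$($t.Direction)"
            TrustingSide        = $trusting
            TrustedSide         = $trusted
            NonTransitive       = [bool]($attr -band $TA.NonTransitive)
            SelectiveAuth       = [bool]($attr -band $TA.CrossOrg)
            Findings            = ($findings -join '; ')
        }
    }
}

# Offline check of the decoder with a constructed value: forest-transitive plus
# selective authentication (0x8 + 0x10) on an uplevel trust classifies as 'Forest'.
Get-TrustKind -TrustType 'Uplevel' -Attributes 0x18

# Against a live domain: list everything, then only the trusts with findings
Get-TrustAudit | Format-Table Partner, Kind, TrustingSide, TrustedSide, SelectiveAuth, Findings -AutoSize
Get-TrustAudit | Where-Object { $_.Findings } | Format-List
```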
2. Name suffixes
User objects in Active Directory can contain an attribute called a UPN, or user principal name.
And this user principal name looks not much different from an e-mail address, and it is an
alternative that they can use when logging into a computer. So when you get that logon
screen, you can use the traditional approach, which is the domain prefix, backslash (\),
username; or you can use the UPN approach like Jason@hotmail.com. You see, the suffix in
the UPN, that is the hotmail.com, well, that is used to determine which domain I need to
authenticate to. And what's interesting is the UPN suffix doesn't actually have to match the
name of the domain. So my suffix might be hotmail.com but my actual domain name might be
something like corp.org; and the reason for that is that the administrator has authorized
hotmail.com as a UPN suffix in the forest and it all gets resolved within Active Directory. It
gets a little bit more complicated, though, when we have multiple forests and multiple UPNs in
use. At the time a trust is created, those UPN names are examined for routing purposes, and
if any conflicts are detected, well, then the administrator will be alerted to them when the trust
is created.

Those suffixes are useful, though, when it comes to routing authentication requests over those
trusts. So in my example, let's say I go to a separate domain that has a trust to my home
domain and I log in as Jason@hotmail.com. Because my suffix is part of that trust, having
been identified during the creation of that trust, it knows to route hotmail.com across the trust
to my home domain. But what if a suffix is added after the trust has been created? Well, it may
not be included as part of that trust's routing information. So this is where the administrator
might need to come in and control name suffix routing on the actual trust. And this can also be
a security feature: you can allow or disallow certain name suffixes over the trust.

[Two domains, easynomadtravel.com and interswift.com, are available, where the
easynomadtravel.com domain has 'user@easynomadtravel.com' as the UPN.]

3. Demo: Configuring trust relationships
In this demonstration, I want to look at creating a trust. I have two Active Directory domains,
corp.brocadero.com and ent.local. And what I need to do is allow a group from ent.local to
access resources in corp.brocadero.com. That means that this particular domain needs to be
the trusted domain, or 'ed', as we put it, and this domain here needs to be the trusting domain.
I don't need a two-way trust; I just need a one-way trust facilitating this level of access. Now I
have already done the first part of this on the ent side.

So here in the domain that is being trusted, I created one half of the trust. If I go to the
Properties here, I'm in the Active Directory Domains and Trusts tool. And if I go to the
properties of the trust, I can see that it is an incoming trust. And it tells me that users in this
domain can be authenticated in the other domain, and I can validate this if I need to. Now this
is only half of it, though; I need to create the other half. And so I'm going to switch over now to
the other server. This is the domain controller of the other domain, corp.brocadero.com. And
I'm in the same tool, Active Directory Domains and Trusts. But as you can see, there is no
trust created here; the other half of the trust has not been established yet.

[A paint window containing two domains, CORP.BROCADERO and ENT.LOCAL, is displayed
where CORP.BROCADERO is the trusting domain and ENT.LOCAL is the trusted domain.
These domains share a one-way relationship. The instructor navigates to the Active Directory
Domains and Trusts window, which contains 'Active Directory Domains and Trusts' as the root
node. The instructor right-clicks the ent.local sub-node under the root node and selects the
Properties option from the shortcut menu. As a result, the ent.local Properties dialog box is
displayed, which contains three tabs – General, Trusts, and Managed By – where the Trusts
tab is already selected. This tab contains two sections, Domains trusted by this domain
(outgoing trusts) and Domains that trust this domain (incoming trusts). Both these sections
include a table each with three columns, Domain Name, Trust Type, and Transitive, along with
two buttons Properties and Remove. The table in the second section contains one row where
'corp.brocadero.com' is the Domain name, 'Forest' is the Trust Type, and 'Yes' is the value in
the Transitive column. This dialog box also contains the 'New Trust' button at the bottom. The
instructor selects the first row and clicks the Properties button, which displays the
corp.brocadero.com Properties dialog box. This dialog box contains two tabs, General and
Name Suffix Routing. In the General tab, 'ent.local' is the value in 'This Domain' field,
'corp.brocadero.com' is the value in the 'Other Domain' field, and the Trust Type is 'Forest'.
The 'Validate' button is used to confirm or reset the trust relationship and update its routed
name suffixes. The 'Save As' button is used to save a file with the details about the status of
the names associated with the trust. This dialog box also contains the OK, Save, Apply, and
Help buttons. The instructor navigates to another Active Directory Domains and Trusts window
where the corp.brocadero.com Properties dialog box is displayed with the Trusts tab already
selected.]

So that's what I'm going to do now. I'm going to click New Trust and I have the New Trust
Wizard, and I need to put in the name of that other domain, which is ENT.LOCAL. And
because this is between two Active Directory environments, I have got a 2008 R2 environment
on one side and 2012 here, I can choose a Forest trust.

Now for older environments like NT 4.0 or Windows 2000, I could elect to use the External
trust. Now I need to decide: is this Two-way, One-way: incoming, or One-way: outgoing? This
is going to be a One-way: outgoing. My scenario doesn't dictate or need a Two-way, and you
usually want to go with the least level of access. Don't grant more access than you actually
need. So I'm going to do One-way: outgoing. Now this is where it asks, "Do you want to create
the trust on both sides at the same time from this wizard?" So if I had administrator privileges
in both forests, I could provide those credentials and establish the trust using the wizard only
once.

In my case, I'm simulating a typical situation where you might have administrators in different
forests who have to coordinate the actual establishing of the trust. So one site creating their
part, the other site creating theirs, so I'm going to choose This domain only.

[The Trusts tabbed page is displayed in the corp.brocadero.com dialog box of the Active
Directory Domains and Trusts window. The instructor clicks the New Trust button in the dialog
box, which displays the New Trust Wizard dialog box with the welcome page open. The
instructor clicks Next to navigate to the next page, which is the Trust Name page and asks the
instructor to type the name of the domain, forest, or realm for the new trust. The instructor
enters 'ENT.LOCAL' as the Name and then clicks Next to navigate to the next page – Trust
Type. The Trust Type page contains two options, External trust and Forest trust. An external
trust is a non-transitive trust between a domain and another domain outside the forest. A
non-transitive trust is bounded by the domains in the relationship. A forest trust is a transitive
trust between two forests that allows users in any of the domains in one forest to be
authenticated in any of the domains in the other forest. The External trust option is already
selected. The instructor selects the Forest trust option, clicks Next, and navigates to the next
page – Direction of Trust. The Direction of Trust page enables the instructor to select the
direction of trust. There are three options available for selecting the direction of trust –
Two-way, One-way: incoming, and One-way: outgoing. The instructor selects the last option,
One-way: outgoing, clicks Next, and navigates to the next page – Sides of Trust. The Sides of
Trust page enables the instructor to create both sides of the trust relationship. This page
contains two options for the 'Create the trust for the following' field – This domain only and
Both this domain and the specified domain – where the 'This domain only' option is already
selected. The instructor retains the selection, clicks Next, and navigates to the next page –
Outgoing Trust Authentication Level. The Outgoing Trust Authentication Level page enables
the instructor to select the scope of authentication for users from the ENT.LOCAL forest. It
contains two options, Forest-wide authentication and Selective authentication, where the
Forest-wide authentication option is already selected.]

Now this is an important question. This is the level of authentication I want to permit. How
many users from that other domain do I want to grant access within my domain? Do I want to
be very selective or do I want to permit any users? And so I'm going to choose Selective
authentication, because I only need one particular group to be granted access. And then I
need to put a password on, and it warns me my caps lock is on, so I'll just fix that. This is a
password, by the way, that was also established on the other half of the trust in the other
domain, so those passwords need to match. Click Next here, Finish this up, there we go.

Now that portion of the trust is complete. I'm not quite finished with this. I can go further by
clicking on Properties, I can go in and have a look at the details of this trust. Notice that this is
the outgoing portion whereas in the other example of the other domain, we have the incoming.
Name Suffix Routing has to do with what names are going to be used to actually route for
authentication purposes. When I click the Refresh button I can see that these are the names
in the other forest.

[The Outgoing Trust Authentication Level page of the New Trust Wizard is displayed with two
options, Forest-wide authentication and Selective authentication, where the Forest-wide
authentication option is already selected. The instructor selects the Selective authentication
option, clicks Next, and navigates to the next page – Trust Password. The Trust Password
page enables the instructor to enter a unique password for the new trust. The instructor enters
the password twice, once in the Password field and then in the Confirm trust password field.
Then the instructor clicks Next and navigates to the next page – Trust Selections Complete
page, which displays the summary of the option selected. The instructor clicks Next and
navigates to the Trust Creation Complete page, which displays the status of the changes
made. The instructor clicks Next and navigates to the next page – Confirm Outgoing Trust. The
Confirm Outgoing Trust page contains two options for the question 'Do you want to confirm the
outgoing trust?' The options are as follows: No, do not confirm the outgoing trust Yes, confirm
the outgoing trust The 'No, do not confirm the outgoing trust' option is already selected. The
instructor retains the selection, clicks Next, and navigates to the last page of the wizard. The
instructor clicks Finish on this page and the new trust is populated in the table contained in the
Domains trusted by this domain (outgoing trusts) section. The instructor selects the new row in
the table and clicks the Properties button associated with that section. As a result, the ent.local
Properties dialog box is displayed, which contains three tabs, General, Name Suffix Routing,
and Authentication. The General tab is already selected. Then the instructor navigates to the
Name Suffix Routing tab, which contains a table with three columns, Suffix, Routing, and
Status. The instructor clicks the Refresh button placed below the table and the table gets
populated with three rows. The first row contains '*.brocadero.com' as the Suffix, 'Disabled' in
the Routing column, and 'New' in the Status column. The second row contains
'*.easynomadtravel.com' as the Suffix, 'Disabled' in the Routing column, and 'New' in the
Status column. The third row contains '*.ent.local' as the Suffix, 'Enabled' in the Routing
column, and the Status column is empty. This tab also contains four buttons, Enable, Disable,
Refresh, and Edit.]

Now notice I have got *brocadero.com in the other forest. Now that might mean a variety of
reasons, maybe they were associated with the same parent company or something. Notice
that routing has been Disabled for that name and I can actually change this if I need to. So if I
want to enable a particular name, I can click Enable and that way users who access resources
with this suffix: easynomadtravel.com, well, that authentication request will be passed over this
trust to the easynomad domain, which is ent.local. So this allows me to associate multiple
authentication labels to a specific authenticating forest. I can also go further into this if there is
a portion of the name I want to prevent authentication from occurring against, or I can say I
don't want to allow anyone using support.brocadero.com, maybe I anticipate a domain
coming online, easynomadtravel.com might be more appropriate because we're referring
to the other domain, there we go.

So this is actually a child domain of easynomadtravel.com. I'm saying any user with a suffix
that includes support is not going to actually be routed across the trust. So you can make
those kinds of exceptions if those are needed. And then if I want to change the Authentication
scope from forest-wide to selective, I can do that here.

[The Name Suffix Routing tab of the ent.local Properties dialog box is displayed. The
instructor selects the second row and clicks the Enable button. As a result, the value in the
Routing column of the table changes from 'Disabled' to 'Enabled'. The instructor selects the
second row and clicks the Edit button, which displays the 'Edit easynomadtravel.com' dialog
box. The 'Name suffixes to exclude from routing to easynomad.com' field is empty and it has
an Add button associated with it. The instructor clicks the Add button, which displays the Add
Excluded Name Suffix dialog box. The instructor enters 'support.easynomadtravel.com' as the
name suffix and clicks OK. As a result, the name is auto-populated in the 'Name suffixes to
exclude from routing to easynomad.com' field in the Edit easynomadtravel.com dialog box. The
instructor clicks OK and navigates back to the Name Suffix Routing tab in the ent.local
Properties dialog box. The value in the 'Status' column for '*.easynomadtravel.com' suffix
changes to 'Exceptions'. Next the instructor navigates to the Authentication tab, which contains
two options, Forest-wide authentication and Selective authentication, where the Selective
authentication option is already selected.]

Now the last thing I want to show you is what to do in the event you use Selective
authentication, I'm not quite finished. The reason I'm not finished is because even though I
selected Selective authentication, I have to go one step further. I have to go to the server
where authentication is going to take place and specifically permit those users from the other
domain, and grant them access to the specific resource server. If I don't do this then selective
authentication will prevent them. So to grant them access I'm going to go to the specific server.
In this scenario, I'm using APP3, this application server, and I need to go to the Properties of
this server and I need to go to its Security tab. The Security tab needs to be exposed by
going to View – Advanced Features, it'll go back in there again, and there it is.

[The Authentication tab of the ent.local Properties dialog box is displayed with two options,
Forest-wide authentication and Selective authentication, where the Selective authentication
option is already selected. The instructor clicks OK in the ent.local Properties dialog box, then
clicks OK in the corp.brocadero.com Properties dialog box, and navigates the Active Directory
Domains and Trusts window. The instructor minimizes the Active Directory Domains and
Trusts window and navigates to the AD DS tabbed page in the Server Manager window, which
contains a table with four columns, Server Name, IPv4 Address, Manageability, and Last
Update, and one row. The row contains DC1 as the Server Name, 10.0.3.1 as the IPv4
Address, 'Online – Performance counters not started' in the Manageability column, and
'11/26/2013 6:1…' in the Last Update column. The instructor right-clicks the first row and then
the instructor selects the 'Active Directory Users and Computers' from the shortcut menu. As a
result, the Active Directory Users and Computers window is displayed with 'Active Directory
Users and Computers' as the root node and two sub-nodes, Saved Queries and
corp.brocadero.com. The corp.brocadero.com sub-node is expanded and contains the
following folders: Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals,
Managed Service Accounts, and Users. The Users folder is already selected and its contents are displayed in a
tabular format in the right section. The table contains three columns, Name, Type, and
Description. The instructor expands the Computers folder whose contents are displayed in a
tabular format in the right section. The table contains three columns, Name, Type, and
Description. The first row contains APP3 as the name, the second row contains CLIENT3 as
the name, the third row contains DC10 as the name, the fourth row contains DC11 as the
name, and the fifth row contains EDGE2 as the name. The Type column contains 'Computer'
as the common value for all the five computer names and the Description column is empty.
The instructor right-clicks the APP3 computer and selects the Properties option from the drop-
down list. As a result, the APP3 Properties dialog box is displayed, which contains seven tabs
– General, Operating System, Member Of, Delegation, Location, Managed By, and Dial-in. The
General tab is already selected. The instructor closes the dialog box, clicks the View menu,
and selects the Advanced Features menu option. Then the instructor right-clicks the APP3
computer again and selects the Properties option from the shortcut menu. As a result, the
following tabs are displayed in the APP3 Properties dialog box: General, Operating System,
Member Of, Delegation, Password Replication, Location, Managed By, Object, Security, Dial-
in, and Attribute Editor. The instructor selects the Security tab, which contains the Group or
user names list box and a table with three columns, Permissions for Everyone, Allow, and
Deny. The Group or user names list box also contains two buttons, Add and Remove,
associated with it.]

Now once I have done that, now I can actually grant the users from the other domain. I'm going
to choose Locations; because if the trust is working, I can see the other forest. And now I can
actually grab and I need to, actually, have credentials from that other domain. So somebody
who can read the objects in the other domain, I'm just going to use the default administrator
account. There we are. So there is the group I need to grant access. This is from the other
domain and I want to be sure to allow them to authenticate, Allowed to authenticate.

Now I can go into the APP3 server and specify exactly what file, folder, application they have
access to. But the Allowed to authenticate is the secondary part of setting up Selective
authentication. It is not necessary if I'm doing Forest-wide authentication. But this
specifically limits who can authenticate against this server from the other domain, and the
other forest, and that makes my environment more secure.

[The Security tab of the APP3 Properties dialog box is displayed. The instructor clicks the Add
button, which displays the Select Users and Computers, Service Accounts, or Groups dialog
box. The 'Select this object type' field has value 'Users, Groups, or Built-in security principals'
and the 'From this location' field has value 'corp.brocadero.com'. The instructor clicks the
Location button, which displays the Locations dialog box displaying the already selected
location. The instructor selects ent.local as the location and clicks OK. The instructor enters
'easynomad' in the 'Enter the object names to select' field and clicks the Check Names button.
As a result, the Windows Security dialog box is displayed that prompts the instructor to enter
the network credentials. The instructor enters 'ent\administrator' as the user name, the
corresponding password, and clicks OK. As a result, the 'Enter the object names to select’ field
gets populated with 'EasyNomad Devs' as the object name. Then the instructor clicks OK and
navigates to the APP3 Properties dialog box. The instructor selects the new group
'EasyNomad Devs' from the 'Group or user names' list and then selects the 'Allow' option for
the 'Allowed to authenticate' permission. Then the instructor clicks OK to save the changes
and navigates back to the Active Directory Users and Computers window.]
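The second step of selective authentication shown above, granting the trusted-forest group the 'Allowed to authenticate' right on the resource server's computer object, as an added PowerShell example that is not part of the course. It assumes the ActiveDirectory module, an admin session in the trusting domain, the demo names (ent.local, APP3, EasyNomad Devs), and that the trusted forest's NetBIOS name is ENT (as suggested by the ent\administrator logon).

```powershell
# Added example (not from the course): second step of selective authentication,
# granting a trusted-forest group "Allowed to authenticate" on a resource server.
# Assumes the ActiveDirectory module, run as an admin of the trusting domain
# (corp.brocadero.com), with a working forest trust to ent.local.
Import-Module ActiveDirectory

$TrustedForest  = 'ent.local'            # trusted forest from the demo
$ResourceServer = 'APP3'                 # resource server from the demo
$TrustedGroup   = 'ENT\EasyNomad Devs'   # assumes NetBIOS name ENT (as in ent\administrator)

# 1. Confirm the trust really is in selective-authentication mode; otherwise the
#    ACE below is unnecessary (forest-wide authentication already lets everyone in).
$trust = Get-ADTrust -Filter "Name -eq '$TrustedForest'"
if (-not $trust.SelectiveAuthentication) {
    throw "Trust to $TrustedForest is forest-wide; selective authentication is not enabled."
}

# 2. Resolve the trusted group to a SID over the trust (needs the trust to be working).
$sid = (New-Object System.Security.Principal.NTAccount($TrustedGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 3. Build an ACE for the Allowed-To-Authenticate extended right. Its rightsGuid
#    in the AD schema is 68b1d179-0d15-4d4f-ab71-46152e79a7bc.
$allowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuth)

# 4. Add the ACE to the computer object's security descriptor via the AD: drive.
$dn   = (Get-ADComputer -Identity $ResourceServer).DistinguishedName
$path = "AD:\$dn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 5. Verify: the group should now hold exactly this extended right on APP3.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $TrustedGroup -and
                   $_.ObjectType -eq $allowedToAuth } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
```

This only permits the group to authenticate to APP3; share and NTFS permissions on the server still decide what they can open, as the instructor notes.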

Windows Server 2012 R2 AD Domains and Trusts
Learning Objective
After completing this topic, you should be able to
◾ recognize how to configure AD domains and trusts

1. AD domains and trusts

Now let's try an exercise on implementing Active Directory, or AD, in Windows Server 2012
R2.

You are working in the IT department of EasyNomad Travel. You are in the process of
upgrading the Windows Server 2008 R2 AD network with some Windows Server 2012 R2
servers.

You intend ultimately to change the functional levels to Windows Server 2012 R2.

Question

You first need to plan the domain and forest topology and Group Policy Objects, or
GPOs. Which statements accurately describe domains and forests?

Options:

1. Group policies can be linked to the domain
2. Password policy applies to the domain
3. Group policies can be linked to the forest
4. Schema is domain wide

Answer

Option 1: Correct. Group policies can be linked at organizational unit, or OU, site or
domain level.

Option 2: Correct. Password policies apply at the domain level and you can have
multiple password policies in a domain.

Option 3: Incorrect. Group policies can only be linked to an organizational unit, or
OU, site or domain.

Option 4: Incorrect. The Active Directory, or AD, schema contains formal definitions
of every object and is forest wide.

Correct answer(s):

1. Group policies can be linked to the domain
2. Password policy applies to the domain

Question

You start to roll out the servers. You raise the forest and domain functional levels to
Windows Server 2012 R2. You now need to roll back the domain functional level to
Windows Server 2008 R2.
How can you do this?

Options:

1. Roll back the forest functional level to Windows Server 2008 R2 before rolling
back the domain functional level
2. There is no rollback option
3. Install a Windows Server 2008 R2 domain controller and roll back

Answer

Option 1: Correct. The procedure is to roll back the forest functional level, then the
domain functional level.

Option 2: Incorrect. You can roll back by first rolling back the forest functional level,
then the domain functional level.

Option 3: Incorrect. You do not need to install a Windows Server 2008 R2 domain
controller to roll back the functional level.

Correct answer(s):

1. Roll back the forest functional level to Windows Server 2008 R2 before rolling
back the domain functional level

Question

You need to plan trust relationships between existing and new domains. Match the
trust relationship types to their descriptions.

Options:

A. Forest trust
B. External trust
C. Shortcut trust
D. Realm trust

Targets:

1. Used to share resources between Windows Server 2012 R2 forests
2. Used to provide access to resources that are located on a Windows NT 4.0
domain
3. Used to improve user logon times between two domains
4. Used to form a trust relationship between Active Directory and other non-
Windows Kerberos domains

Answer

Forest trusts are used to link two disjoined Windows Server 2012 R2 forests.

External trusts are used to link to NT 4.0 domains that cannot participate in forest
trusts.

Shortcut trusts are one-way or two-way trusts used to optimize the authentication
process. Instead of traversing a trust path between forests, a trust can be made
directly to a domain you want users to authenticate to.

Realm trusts are used for interoperability with non-Windows, non-Kerberos realms.

Correct answer(s):

Target 1 = Option A

Target 2 = Option B

Target 3 = Option C

Target 4 = Option D

Question

There are several advanced configuration options for trust relationships. Match the
trust relationship configuration option to its description.

Options:

A. Name suffix routing
B. Security identifier, or SID, filtering
C. Selective authentication

Targets:

1. Enables or disables authentication request routing within the forest
2. Prevents malicious users assigning themselves rights in a trusting domain
3. Restricts resource access to those with explicit permissions

Answer

Name suffix routing manages how authentication requests are routed across forests
and forest trusts.

Security identifier, or SID, filtering prevents malicious users using the SID history
attribute to gain access to resources for another account.

Trusts provide a pathway for any user from the trusted forest to be authenticated in the
trusting forest. Selective authentication gives administrators in the trusting forest
more control over which groups in the trusted forest can access resources.

Correct answer(s):

Target 1 = Option A

Target 2 = Option B

Target 3 = Option C

© 2018 Skillsoft Ireland Limited
